PHP assistance?

Associate
Joined
22 Aug 2011
Posts
240
How would I go about the following problem?

For my final project for University, I chose to create an E-commerce based website and I have a login page for the Admin back-end, but obviously if you know the extensions such as link_here/admin.php you can still access the back-end through that page.

How would I go about forcing the user to log-in through the log-in page created if you try to just type in that URL?

Obviously (this is for a real-world client) that would be a major security flaw.

So for example:

User (somehow) knows the full link to access the admin side of the website > types in www.blabla.com/admin.php > when this page loads he is linked to the Admin login page > and now he is forced to login before he can enter that admin page.
 
Associate
OP
Joined
22 Aug 2011
Posts
240
Sorry if I've got this wrong, but this is your final year Uni project? This is for a real world client? ... and only now you're thinking about back-end security?

The security logic should be comprehensively planned from day one, especially when dealing with online commerce.

It's only partial e-commerce for a very small company that wants the ability for its users to look at their products online and place a quote through a contact form.

user logs-on > browses products cat > selects product > goes to estimation page > sees how much it would be to either a.) buy a product/service or b.) use a service > using php that service is calculated and then sent to a.) the db and b.) the client's e-mail.

:)

What happens when you have logged the user in? Do you start a new session for them when they have entered a correct username/password?

Yeah mate, a session is started and upon successful logout the session is then ended.
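
One way to do what the question asks, building on the session the thread says is started at login. This is an added example, not code from any poster; the include file name, the login path, the timeout and the session keys are assumptions.

```php
<?php
// auth_guard.php: hypothetical include (name assumed). Require it as the
// first line of admin.php and of every other back-end page.
declare(strict_types=1);

const LOGIN_PAGE   = '/login.php'; // assumed path of the existing login page
const IDLE_TIMEOUT = 900;          // assumed idle limit in seconds

// Harden the session cookie before the session is started.
session_set_cookie_params([
    'lifetime' => 0,      // cookie dies with the browser session
    'path'     => '/',
    'secure'   => true,   // assumes the site is served over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Call from the login page only after the password has been verified.
function mark_logged_in(int $adminId): void
{
    session_regenerate_id(true);       // fresh ID defeats session fixation
    $_SESSION['admin_id']  = $adminId; // assumed key name
    $_SESSION['last_seen'] = time();
}

// Call at the top of every protected page.
function require_admin(): void
{
    $loggedIn = !empty($_SESSION['admin_id']);
    $fresh    = isset($_SESSION['last_seen'])
        && (time() - (int) $_SESSION['last_seen']) <= IDLE_TIMEOUT;

    if (!$loggedIn || !$fresh) {
        $_SESSION = [];                // drop any stale state
        header('Location: ' . LOGIN_PAGE, true, 302);
        exit; // without exit the rest of admin.php still runs and is sent
    }
    $_SESSION['last_seen'] = time();   // sliding idle timeout
}

// Guard the including page unless it is the login page itself.
if (basename($_SERVER['SCRIPT_NAME'] ?? '') !== basename(LOGIN_PAGE)) {
    require_admin();
}
```

The check has to run server-side on every back-end script and every form handler behind it, since any of those URLs can be requested directly just like admin.php.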
 